From 674349727b4e01cfe0ebe0be33ad82e60773aaa8 Mon Sep 17 00:00:00 2001
From: Dennis Cagle <d-cagle@codeaurora.org>
Date: Mon, 4 Dec 2017 18:00:50 -0800
Subject: [PATCH] qcacld-2.0: Add sanity check to avoid overflow in WMI event
 data

In WMA, data from firmware event buffer is used without
sanity checks for upper limit. This might lead to a potential
integer overflow further leading to buffer corruption.

Add sanity check to avoid integer overflow.

Change-Id: Id47e12015a4d46af24180b621b52ffcb17596c07
CRs-Fixed: 2113919
Bug: 68992426
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
---
 drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index 006f89bb9124..1c7e3fdb5923 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -5264,6 +5264,14 @@ static int wma_unified_power_debug_stats_event_handler(void *handle,
 		return -EINVAL;
 	}
 
+	if (param_buf->num_debug_register > ((WMA_SVC_MSG_MAX_SIZE -
+		sizeof(wmi_pdev_chip_power_stats_event_fixed_param)) /
+		sizeof(uint32_t))) {
+		WMA_LOGE("excess payload: LEN num_debug_register:%u",
+			 param_buf->num_debug_register);
+		return -EINVAL;
+	}
+
 	debug_registers = param_tlvs->debug_registers;
 	stats_registers_len =
 			(sizeof(uint32_t) * param_buf->num_debug_register);
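Review bot: The added guard bounds the firmware-supplied `param_buf->num_debug_register` only against the largest possible message (`WMA_SVC_MSG_MAX_SIZE`), not against the number of `debug_registers` entries actually delivered in this event. That keeps `sizeof(uint32_t) * param_buf->num_debug_register` from wrapping, but a count below the ceiling and above the received array length still passes, so any later copy sized by `stats_registers_len` (outside this hunk, so inferred) could read past the TLV data. If the TLV parser exposes the parsed element count (WMI TLV structs in this driver usually carry a `num_debug_registers` companion field; confirm against the header), extend the condition with `|| param_buf->num_debug_register > param_tlvs->num_debug_registers`. A one-line comment above the check, e.g. `/* count is firmware-controlled; bound it before computing stats_registers_len */`, would record why it exists. The handler's body starts and ends outside the hunk.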
-- 
GitLab